In 30 days, we will begin enforcing the whitelist such that any URL
not added to the whitelist will fail. This means that URLs can no
longer be programmatically overridden in calls to the
oauth/request_token endpoint. The callback_url parameter provided
must match one of the whitelisted callback URLs. While we generally
provide longer than a 30-day notice for changes like this, this
timeline allows us to continue to provide a safe and secure experience
for developers and our users.

You can add callback URLs to your whitelist on the applications
settings page on apps.twitter.com.

Enable the setting “Enable Callback Locking” to test that only URLs
you have whitelisted are accepted. Callback URLs will automatically be
locked and the whitelist will be enforced starting on June 12th. The
“Enable Callback Locking” setting will be removed on this date.

I could not get this to work in development with 127.0.0.1, so I ended up creating a DNS A record that pointed to 127.0.0.1 (e.g., dev.example.com) and used that in the callback URL settings on https://apps.twitter.com.
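
The following is an added example, not code from the original post or from Twitter: a local pre-flight check a client could run on its `callback_url` before calling oauth/request_token. It assumes that "match" means equality of scheme, host, port, path and query, which the announcement does not spell out; the allowlist path and the function names are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed allowlist entry; the path is an assumption, not from the post.
ALLOWLIST = ["https://dev.example.com/auth/twitter/callback"]


def normalize(url):
    """Return a comparable tuple, or None if the URL is unusable as a callback."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # Userinfo and fragments have no place in a callback URL; refuse them.
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    # parts.hostname is already lower-cased by urlsplit.
    return (scheme, parts.hostname, port, parts.path or "/", parts.query)


def callback_allowed(callback_url, allowlist=ALLOWLIST):
    """True only when callback_url equals an allowlisted URL, component by component."""
    candidate = normalize(callback_url)
    allowed = {normalize(entry) for entry in allowlist}
    return candidate is not None and candidate in allowed


if __name__ == "__main__":
    # Constructed inputs: the first two match, the rest must be refused.
    for url in [
        "https://dev.example.com/auth/twitter/callback",
        "https://DEV.example.com:443/auth/twitter/callback",
        "http://127.0.0.1:3000/auth/twitter/callback",
        "https://dev.example.com.other.test/auth/twitter/callback",
    ]:
        print(callback_allowed(url), url)
```

Comparing parsed components rather than string prefixes is what keeps a host such as `dev.example.com.other.test` from passing as `dev.example.com`.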